problem with XADS on windows 2000

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mark stuart (Thread Starter, joined Sep 2, 2004, 7 messages)
Dear All,
My computer was hijacked recently and despite all my efforts, I can't get back to the blissful state when my computer functioned properly and McAfee worked. I removed 180 search assistant but seem to have been left a legacy of a programme called XADS. My operating system is Windows 2000 and I am posting my HijackThis log below. Thanks in advance for any help you can give me.

MSH

Logfile of HijackThis v1.98.0
Scan saved at 1:46:19, on 04/09/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\winampo.exe
C:\WINNT\system32\netsv32.exe
C:\WINNT\system32\yiwojh.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\winampo.exe
C:\WINNT\system32\netsv32.exe
C:\WINNT\iDialer\Wanadoo-Tarifa Plana 24 horas Acelerador\idialer.exe
C:\WINNT\system32\wsass.exe
C:\WINNT\iDialer\Wanadoo Turbo\wturbo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\user.PC\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\WINNT\iDialer\Wanadoo Turbo\pbhelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [System Executable DLL Library] EXECDLL32.EXE
O4 - HKLM\..\Run: [Machine Debug Manager] mdms.exe
O4 - HKLM\..\Run: [Threaded] ntsyst32.exe
O4 - HKLM\..\Run: [KTAX Auto Loader] ktax.exe
O4 - HKLM\..\Run: [SysConfig] wincfg32.exe
O4 - HKLM\..\Run: [Video Process] MSIupdate.exe
O4 - HKLM\..\Run: [System] system32.exe
O4 - HKLM\..\Run: [Windows Clock Configuration] windowstm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Fix Winamp] winampo.exe
O4 - HKLM\..\Run: [netsv32] netsv32.exe
O4 - HKLM\..\Run: [Configuration] ntsys32.exe
O4 - HKLM\..\Run: [rgrivruxsm] C:\WINNT\system32\yiwojh.exe
O4 - HKLM\..\Run: [Windows WKS] wsass.exe
O4 - HKLM\..\RunServices: [System Executable DLL Library] EXECDLL32.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] mdms.exe
O4 - HKLM\..\RunServices: [Threaded] ntsyst32.exe
O4 - HKLM\..\RunServices: [KTAX Auto Loader] ktax.exe
O4 - HKLM\..\RunServices: [SysConfig] wincfg32.exe
O4 - HKLM\..\RunServices: [Video Process] MSIupdate.exe
O4 - HKLM\..\RunServices: [System] system32.exe
O4 - HKLM\..\RunServices: [Windows Clock Configuration] windowstm.exe
O4 - HKLM\..\RunServices: [Fix Winamp] winampo.exe
O4 - HKLM\..\RunServices: [netsv32] netsv32.exe
O4 - HKLM\..\RunServices: [Configuration] ntsys32.exe
O4 - HKLM\..\RunServices: [Configuration Loader] systemry.exe
O4 - HKLM\..\RunServices: [Windows WKS] wsass.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Machine Debug Manager] mdms.exe
O4 - HKCU\..\Run: [Fix Winamp] winampo.exe
O4 - HKCU\..\Run: [netsv32] netsv32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AE310EE-0A1E-46F4-B149-ED054561FB40}: NameServer = 62.36.225.150 62.37.228.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E71CD56-5389-4F74-BC96-B3E2117FEC17}: NameServer = 62.42.230.135,62.42.230.136
 

Cookiegal (Karen), Administrator, Malware Specialist Coordinator, joined Aug 27, 2003, 116,501 messages
Please download the latest version of Hijack This 1.98.2 and be sure to save it to its own folder on your hard drive. Then post a new log please.

Please do this. Click here: http://www.majorgeeks.com/download3155.html to download Hijack This. It’s very important that you save it to its own folder on your hard drive, such as program files (not temporary files or the desktop), so that it can create proper back-ups and be able to restore them if necessary.
 

mark stuart (Thread Starter)
Dear Cookiegal,
Followed your instructions and here is the new log.

Logfile of HijackThis v1.98.2
Scan saved at 16:15:10, on 04/09/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\winampo.exe
C:\WINNT\system32\netsv32.exe
C:\WINNT\system32\yiwojh.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\winampo.exe
C:\WINNT\system32\netsv32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\WINNT\iDialer\Wanadoo-Tarifa Plana 24 horas Acelerador\idialer.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\WINNT\iDialer\Wanadoo Turbo\wturbo.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\user.PC\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\WINNT\iDialer\Wanadoo Turbo\pbhelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [System Executable DLL Library] EXECDLL32.EXE
O4 - HKLM\..\Run: [Machine Debug Manager] mdms.exe
O4 - HKLM\..\Run: [Threaded] ntsyst32.exe
O4 - HKLM\..\Run: [KTAX Auto Loader] ktax.exe
O4 - HKLM\..\Run: [SysConfig] wincfg32.exe
O4 - HKLM\..\Run: [Video Process] MSIupdate.exe
O4 - HKLM\..\Run: [System] system32.exe
O4 - HKLM\..\Run: [Windows Clock Configuration] windowstm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Fix Winamp] winampo.exe
O4 - HKLM\..\Run: [Configuration] ntsys32.exe
O4 - HKLM\..\Run: [rgrivruxsm] C:\WINNT\system32\yiwojh.exe
O4 - HKLM\..\RunServices: [System Executable DLL Library] EXECDLL32.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] mdms.exe
O4 - HKLM\..\RunServices: [Threaded] ntsyst32.exe
O4 - HKLM\..\RunServices: [KTAX Auto Loader] ktax.exe
O4 - HKLM\..\RunServices: [SysConfig] wincfg32.exe
O4 - HKLM\..\RunServices: [Video Process] MSIupdate.exe
O4 - HKLM\..\RunServices: [System] system32.exe
O4 - HKLM\..\RunServices: [Windows Clock Configuration] windowstm.exe
O4 - HKLM\..\RunServices: [Fix Winamp] winampo.exe
O4 - HKLM\..\RunServices: [Configuration] ntsys32.exe
O4 - HKLM\..\RunServices: [Configuration Loader] systemry.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Machine Debug Manager] mdms.exe
O4 - HKCU\..\Run: [Fix Winamp] winampo.exe
O4 - HKCU\..\Run: [netsv32] netsv32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AE310EE-0A1E-46F4-B149-ED054561FB40}: NameServer = 62.36.225.150 62.37.228.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E71CD56-5389-4F74-BC96-B3E2117FEC17}: NameServer = 62.42.230.135,62.42.230.136
 

Cookiegal (Administrator, Malware Specialist Coordinator)
Go to Control Panel - Add/Remove programs and delete this if there:

Twain-Tech


Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll

O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll

O4 - HKLM\..\Run: [System Executable DLL Library] EXECDLL32.EXE

O4 - HKLM\..\Run: [Machine Debug Manager] mdms.exe

O4 - HKLM\..\Run: [Threaded] ntsyst32.exe

O4 - HKLM\..\Run: [KTAX Auto Loader] ktax.exe

O4 - HKLM\..\Run: [SysConfig] wincfg32.exe

O4 - HKLM\..\Run: [Video Process] MSIupdate.exe

O4 - HKLM\..\Run: [System] system32.exe

O4 - HKLM\..\Run: [Windows Clock Configuration] windowstm.exe

O4 - HKLM\..\Run: [Fix Winamp] winampo.exe

O4 - HKLM\..\Run: [Configuration] ntsys32.exe

O4 - HKLM\..\Run: [rgrivruxsm] C:\WINNT\system32\yiwojh.exe

O4 - HKLM\..\RunServices: [System Executable DLL Library] EXECDLL32.EXE

O4 - HKLM\..\RunServices: [Machine Debug Manager] mdms.exe

O4 - HKLM\..\RunServices: [Threaded] ntsyst32.exe

O4 - HKLM\..\RunServices: [KTAX Auto Loader] ktax.exe

O4 - HKLM\..\RunServices: [SysConfig] wincfg32.exe

O4 - HKLM\..\RunServices: [Video Process] MSIupdate.exe

O4 - HKLM\..\RunServices: [System] system32.exe

O4 - HKLM\..\RunServices: [Windows Clock Configuration] windowstm.exe

O4 - HKLM\..\RunServices: [Fix Winamp] winampo.exe

O4 - HKLM\..\RunServices: [Configuration] ntsys32.exe

O4 - HKLM\..\RunServices: [Configuration Loader] systemry.exe

O4 - HKCU\..\Run: [Machine Debug Manager] mdms.exe

O4 - HKCU\..\Run: [Fix Winamp] winampo.exe

O4 - HKCU\..\Run: [netsv32] netsv32.exe


Then boot to safe mode (see how below), locate and delete these files and/or folders:

EXECDLL32.EXE - file
mdms.exe - file
ntsyst32.exe - file
ktax.exe - file
wincfg32.exe - file
MSIupdate.exe - file
system32.exe - file
windowstm.exe - file
winampo.exe - file
C:\WINNT\system32\yiwojh.exe - file
systemry.exe - file
netsv32.exe - file

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

These files may be hidden so double-click on My Computer. Go to Control Panel - Tools - folder options. Click on view tab and make sure “show hidden files and folders” is checked. Uncheck “Hide file extensions for known file types”. Uncheck “hide protected operating system files”. Click Apply then O.K.

Then reboot and post another log please.
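The fix list above was built by reading the O2 and O4 lines by eye. As an added example (not from the thread, and not HijackThis or Tech Support Guy code), here is a small Python triage script that encodes the tells used in that list: an autorun whose value is a bare filename with no path, a filename that mimics a Windows directory name or is one character away from a real NT binary (wsass.exe beside lsass.exe), the same executable registered under both Run and RunServices, and a BHO DLL dropped straight into the Windows tree instead of a vendor folder. The sample input is a subset of lines copied from the first log in this thread; the allowlist of known-good bare entries and the list of genuine system binaries are assumptions made for the demonstration.

```python
"""Triage helper for HijackThis O2 (BHO) and O4 (autorun) lines.

Added example; not code from the thread, from HijackThis or from the forum.
The sample lines are a subset copied from the first log posted above. The
allowlist and the list of genuine NT system binaries are assumptions made
here for the demonstration, not something the thread states.
"""
import re
from collections import Counter, namedtuple

# Constructed input: a subset of the O2/O4 lines from the first log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [System] system32.exe
O4 - HKLM\..\Run: [Windows WKS] wsass.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [rgrivruxsm] C:\WINNT\system32\yiwojh.exe
O4 - HKLM\..\RunServices: [System] system32.exe
O4 - HKLM\..\RunServices: [Windows WKS] wsass.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<dll>.*)$')

# Assumptions for this box: bare-name autoruns that are genuine here (they also
# survive into the clean final log), real NT system binaries that worms like to
# impersonate, and directory names that worms like to borrow as file names.
KNOWN_BARE = {"mobsync.exe", "carpserv.exe", "internat.exe"}
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIR_NAMES = {"system", "system32", "winnt", "windows"}

Finding = namedtuple("Finding", "line name reasons")


def executable_of(cmd):
    """First token of an autorun command: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd.split() else ""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def levenshtein(a, b):
    """Edit distance; names are short, so the plain O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text):
    """Return a Finding for every O2/O4 line that trips at least one heuristic."""
    findings, autoruns = [], []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            autoruns.append((line, m.groupdict()))
            continue
        m = O2_RE.match(line)
        if m:
            parts = m["dll"].replace("/", "\\").lower().split("\\")
            # A BHO dropped straight into the Windows tree instead of a vendor
            # folder under Program Files is worth a look (heuristic, not proof).
            if len(parts) > 1 and parts[1] in SYSTEM_DIR_NAMES:
                findings.append(Finding(line, basename(m["dll"]),
                                        ["BHO DLL lives in the Windows directory tree, not a vendor folder"]))
    # RunServices is only honoured by Windows 9x/Me, so on Windows 2000 a
    # Run+RunServices pair for one executable is a generic worm installer
    # covering both families rather than an installed product.
    hklm_count = Counter(basename(executable_of(d["cmd"])) for _, d in autoruns if d["hive"] == "HKLM")
    for line, d in autoruns:
        exe = executable_of(d["cmd"])
        name = basename(exe)
        reasons = []
        if "\\" not in exe and name not in KNOWN_BARE:
            reasons.append("bare filename, resolved by the loader's search order at logon, so the log does not say where it lives")
        if name.rsplit(".", 1)[0] in SYSTEM_DIR_NAMES:
            reasons.append("filename mimics a Windows directory name")
        for real in sorted(SYSTEM_BINARIES):
            if name != real and levenshtein(name, real) == 1:
                reasons.append(f"one character away from system binary {real}")
        if d["hive"] == "HKLM" and hklm_count[name] > 1:
            reasons.append("registered more than once under HKLM autorun keys (Run and RunServices)")
        if reasons:
            findings.append(Finding(line, name, reasons))
    return findings


def flagged_names(log_text):
    """Just the file names that tripped something, for a quick delete-list draft."""
    return {f.name for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for why in f.reasons:
            print("    -", why)
```

Note what the script misses: `C:\WINNT\system32\yiwojh.exe`, with its random value name, trips none of the four checks even though it is plainly on the fix list. The heuristics narrow the list of lines to read; they do not replace reading it, and anything they leave alone still has to be checked against its full path and the vendor that is supposed to own it, which is why the thread keeps asking for complete paths.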
 

mark stuart (Thread Starter)
Dear Cookiegal,
After burning the midnight lamp, all alone, I managed to remove all the hijackers. I guess I will be doing the same tonight to improve my security.
A donation will be on its way!

Thanks again!

Logfile of HijackThis v1.98.2
Scan saved at 10:15:33, on 05/09/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\user.PC\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\WINNT\iDialer\Wanadoo Turbo\pbhelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E71CD56-5389-4F74-BC96-B3E2117FEC17}: NameServer = 62.42.230.135,62.42.230.136
 

mark stuart (Thread Starter)
Dear Cookiegals and guys,
I am struggling to remove SDBOT from my computer. I did what you would normally do to remove it but it keeps reappearing and I think it represents a break in my defences, allowing others in through the backdoor, as it were.

Thank you!

MSH
 
Joined Feb 23, 2003, 16,274 messages
Download Adaware SE http://www.lavasoftusa.com/support/download/
The first step is updating your Ad-Aware SE. You can do this by going to the bottom right corner and clicking on the link that says "Check for Updates Now".
Press "Continue" on the bottom right on your screen
Next another pop-up will pop-up saying what type of update it is and what to do, press "Okay" and a download screen will come up downloading the update. Press "Finish" after the update is downloaded. Now select "Finish" then on the bottom right of your Adaware screen click "Start".
A new screen will pop-up and will say "Select a scan mode". You want to click "Use Custom Scanning Mode". Before you press "Start" on the bottom right click "Customize" right next to "Use Custom Scanning Mode".

Select the following:

In the General tab select:
Keep it all the same

In the Scanning tab select:
Under Drivers Folders and Files-select Scan within archives
Under Memory and Registry select all that is underneath it!
Make sure your harddrive is selected when you press "Select Drives and Folders to scan"

In the Advanced tab select:
Make sure you have everything under the "Logfile Detail Level" selected.
(This makes it easier for people from Lavasoft forums see what options you have selected)

In the Startup, Defaults, and Interface tab select nothing.


In the Tweak tab select:
You may not be able to select certain things in the tweak tab, but do not be alarmed.
Under scanning engine select:
"Unload recognized processes during scanning"
"Scan registry for all users instead of current users only"
Under Cleaning Engine select:
"Always try to unload modules before deletion"
"During removal unload Explorer and IE if necessary"
"Let Windows remove files in use at next boot"
"Delete Quarantined objects after restoring"
Under log files:
"Include Basic Ad-Aware settings in log file"
"Include additional Ad-Aware settings in log file"
"Include reference summary in log file"
"Include used command line parameters in log file"
All of the other links are just fine.

Press "Proceed" to save the settings


Press "Next" on the bottom right hand corner.
Ad-Aware SE will scan your computer for possible spyware threats or anything that you have on your computer that maybe spyware.
Then click "Next" to remove any objects found.

______________________________________________________________
Create a folder on your hard drive somewhere like in "My Documents" and name it Hijackthis
Download HijackThis to its own folder: http://www.dotcomsecurity.org/downloads/HijackThis.exe
Doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here.


Most of what it lists will be harmless or even essential, don't fix anything yet.
__________________
 

Cookiegal (Administrator, Malware Specialist Coordinator)
I did give you lots of homework didn't I? :D Well you get an A+ on the assignment. The log looks good now.

How's everything running?
 

mark stuart (Thread Starter)
Dear Cookiegal,
Thanks again for your help. I'm just trying to remove SDBOT but it keeps hiding itself in other folders to which access is denied. I followed MOBY's instructions on AD AWARE, which I have been using but I think someone has gained access to my computer and can therefore see that I'm on to him/her.

I spent the entire morning updating my service pack but I am determined to rid myself of the intruder as I view the internet as a brother and hijackers as a Davidian sect trying to put him under their control.

Thanks again and thanks also to Moby!

MSH
 

mark stuart (Thread Starter)
Dear Cookiegal and MOBO,
Thanks for your suggestions, I did all the homework set but I still have an unwelcome guest, called SDBOT.

I keep evicting ntsv32 and Msgfix.exe but the little swines don't want to leave and they seem to occupy new files in a vain attempt to conceal themselves.

Yours frustratingly,

MSH
 

Cookiegal (Administrator, Malware Specialist Coordinator)
Please post another log.
 

Cookiegal (Administrator, Malware Specialist Coordinator)
I also merged the two threads together.
 

mark stuart (Thread Starter)
Dear Cookiegal,
My wife said that she had to delete an e-mail I sent her because her computer detected a virus. I have run adaware, I have McAfee running but it only detects SDBOT in msgfix and I've done everything to try and rid myself of these intruders.

For what it's worth, you solved my problem with XADS.

Many thanks,
Logfile of HijackThis v1.98.2
Scan saved at 23:44:08, on 08/09/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\WINNT\iDialer\Wanadoo-Tarifa Plana 24 horas Acelerador\idialer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\iDialer\Wanadoo Turbo\wturbo.exe
C:\Program Files\Outlook Express\MSIMN.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\user.PC\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\WINNT\iDialer\Wanadoo Turbo\pbhelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [internat.exe] internat.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AE310EE-0A1E-46F4-B149-ED054561FB40}: NameServer = 62.36.225.150 62.37.228.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E71CD56-5389-4F74-BC96-B3E2117FEC17}: NameServer = 62.42.230.135,62.42.230.136


MSH
 

Cookiegal (Administrator, Malware Specialist Coordinator)
Please give me the entire path to these offending files that you're trying to get rid of.

What happened when you did the on-line scans? Did they detect anything?
 